From 418da85f1528172fb9df376c17f0fd79faf4aebf Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmb@php.net>
Date: Sat, 30 Jul 2016 16:58:43 +0200
Subject: [PATCH] Fix #71606: Segmentation fault mb_strcut with HTML-ENTITIES

The HTML decoding filter uses the `opaque` member of mbfl_convert_filter
as buffer, but there was no copy constructor defined, what caused double
frees when the filter is copied (what happens multiple times in mb_strcut(),
for instance).
---
 NEWS                                            |  4 ++++
 ext/mbstring/libmbfl/filters/mbfilter_htmlent.c | 10 ++++++++--
 ext/mbstring/libmbfl/filters/mbfilter_htmlent.h |  1 +
 ext/mbstring/tests/bug71606.phpt                | 13 +++++++++++++
 4 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 ext/mbstring/tests/bug71606.phpt

diff --git a/NEWS b/NEWS
index b8da83cd1a5..f82a0f3ac1c 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,10 @@ PHP                                                                        NEWS
   . Fixed bug #74947 (Segfault in scanner on INF number). (Laruence)
   . Fixed bug #74954 (null deref and segfault in zend_generator_resume()). (Bob)
 
+- Mbstring:
+  . Fixed bug #71606 (Segmentation fault mb_strcut with HTML-ENTITIES encoding).
+    (cmb)
+
 - MySQLi:
   . Fixed bug #74968 (PHP crashes when calling mysqli_result::fetch_object with
     an abstract class). (Anatol)
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
index 9d530abfbac..03b26cc0b73 100644
--- a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
+++ b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
@@ -88,7 +88,8 @@ const struct mbfl_convert_vtbl vtbl_html_wchar = {
 	mbfl_filt_conv_html_dec_ctor,
 	mbfl_filt_conv_html_dec_dtor,
 	mbfl_filt_conv_html_dec,
-	mbfl_filt_conv_html_dec_flush };
+	mbfl_filt_conv_html_dec_flush,
+	mbfl_filt_conv_html_dec_copy };
 
 
 #define CK(statement)	do { if ((statement) < 0) return (-1); } while (0)
@@ -309,4 +310,9 @@ int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter)
 	return err;
 }
 
-
+void mbfl_filt_conv_html_dec_copy(mbfl_convert_filter *src, mbfl_convert_filter *dest)
+{
+	*dest = *src;
+	dest->opaque = mbfl_malloc(html_enc_buffer_size+1);
+	memcpy(dest->opaque, src->opaque, html_enc_buffer_size+1);
+}
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h
index 6b6ce499517..979f6011ea0 100644
--- a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h
+++ b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h
@@ -42,6 +42,7 @@ int mbfl_filt_conv_html_enc(int c, mbfl_convert_filter *filter);
 int mbfl_filt_conv_html_enc_flush(mbfl_convert_filter *filter);
 int mbfl_filt_conv_html_dec(int c, mbfl_convert_filter *filter);
 int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter);
+void mbfl_filt_conv_html_dec_copy(mbfl_convert_filter *src, mbfl_convert_filter *dest);
 void mbfl_filt_conv_html_dec_ctor(mbfl_convert_filter *filter);
 void mbfl_filt_conv_html_dec_dtor(mbfl_convert_filter *filter);
 
diff --git a/ext/mbstring/tests/bug71606.phpt b/ext/mbstring/tests/bug71606.phpt
new file mode 100644
index 00000000000..a09d7ad8db6
--- /dev/null
+++ b/ext/mbstring/tests/bug71606.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #71606 (Segmentation fault mb_strcut + mb_list_encodings)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip ext/mbstring not available');
+?>
+--FILE--
+<?php
+echo mb_strcut('&quot;', 0, 0, 'HTML-ENTITIES');
+echo 'DONE', PHP_EOL;
+?>
+--EXPECT--
+DONE